In this forensic challenge, we have access to a Windows RAM dump. The clue is
"HBgary say waht?!" so we know it is an email-related problem. Let's fire up
a hex editor and Volatility. Let's look at the processes that were running at
the time of the dump:

We can see two interesting things: a Thunderbird process and a GnuPG process.
Let's try to find PGP armored data by looking for "BEGIN PGP" in the memory. We
find a few encrypted messages and a public key:

We now have to find the private key to be able to decipher the messages. Of
course the private key is not present in its armored form in memory, so we
have to look for its binary counterpart. We know that the private key contains
all the data of the public key (RFC 4880), therefore we just have to look for
a few bytes of the public key in memory.
Let's look at what the public key looks like:

Let's look for "d5 df 3d 1e 6a 72 99 be df ba b2 f5 d2 ab 44". It yields three
results, two of which are the public key in binary form, and the last is longer
and somewhat different but has a lot of the public key data in it. It must
therefore be the private key:
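
The same triage can be scripted. The following is an added example, not part of the original write-up: it finds every occurrence of a chunk of public key material and walks backwards to the enclosing OpenPGP packet header to tell a public key packet (tag 6) from a secret key packet (tag 5). It assumes version 4 keys; the function names are hypothetical and the sample "dump" is constructed, not taken from the challenge.

```python
# OpenPGP key packet tags (RFC 4880, section 4.3)
TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}

def parse_header(buf, off):
    """Return (tag, body_offset, body_length) for a packet header at off, else None."""
    if off + 1 >= len(buf) or not buf[off] & 0x80:
        return None
    b = buf[off]
    if b & 0x40:                                  # new-format header
        tag, first = b & 0x3F, buf[off + 1]
        if first < 192:
            return tag, off + 2, first
        if first < 224 and off + 2 < len(buf):
            return tag, off + 3, ((first - 192) << 8) + buf[off + 2] + 192
        if first == 255:
            return tag, off + 6, int.from_bytes(buf[off + 2:off + 6], "big")
        return None                               # partial lengths: not a key packet
    tag, ltype = (b >> 2) & 0x0F, b & 0x03        # old-format header
    if ltype == 3:                                # indeterminate length
        return None
    size = 1 << ltype
    return tag, off + 1 + size, int.from_bytes(buf[off + 1:off + 1 + size], "big")

def classify_hits(dump, needle, lookback=64):
    """Label every occurrence of needle with the key packet type that encloses it."""
    results, pos = [], dump.find(needle)
    while pos != -1:
        label = "unknown"
        for start in range(pos - 1, max(pos - lookback, 0) - 1, -1):
            hdr = parse_header(dump, start)
            if hdr is None or hdr[0] not in TAGS:
                continue
            tag, body, length = hdr
            # Body must be a version 4 key and the packet must span the hit.
            if body <= pos and dump[body] == 4 and pos + len(needle) <= body + length:
                label = TAGS[tag]
                break
        results.append((pos, label))
        pos = dump.find(needle, pos + 1)
    return results

def build_sample():
    """Constructed data: a fake public key packet, then a fake secret key packet."""
    n = bytes(range(1, 33))                       # stand-in for the RSA modulus
    pub = b"\x04\x4d\x00\x00\x00\x01" + b"\x00\xf9" + n + b"\x00\x11\x01\x00\x01"
    sec = pub + b"\x00" + b"\x00\x07\x7f" + b"\x00\x86"   # unprotected secret part
    pkt = lambda tag, body: bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body
    return b"\x00" * 100 + pkt(6, pub) + b"\x00" * 50 + pkt(5, sec), n[8:24]

if __name__ == "__main__":
    dump, needle = build_sample()
    for offset, kind in classify_hits(dump, needle):
        print(f"{offset:#x}: {kind}")
```

The backward scan is a heuristic: pick the search bytes from near the start of the key material, or raise `lookback`, so that the packet header falls inside the window.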

We now just have to dump the private key (this is the armored version):